Suddenly, you’ve noticed that your various internet browsers are telling you all sorts of websites aren’t secure. You’re might be a little bit worried by this, especially if it’s your own website you’re receiving warnings about. What’s going on?
Google’s Chrome browser, which is currently the most widely used browser, is the browser that’s getting all the attention. Chrome version 68 which launched in July was updated to label every site using HTTP (the standard Internet transfer protocol) as ‘Not Secure’. It labels sites using HTTPS (secure and encrypted internet protocol) as Secure in green with a padlock icon.
The trouble with this move is that it assumes a certain level of background knowledge about what is happening. Sure, in time, the general public will become educated to understand these warnings, but for the majority of users who probably don’t know the ins and outs of Internet transfer protocols, it can be a little scary.
The fact is that the majority of websites over the last couple of decades have been using HTTP – and yes, it’s not encrypted, and yes, it’s easier for hackers to intercept data transmitted using this protocol, but by and large, it’s served us ok for 20+ years. So should you panic if Chrome tells you a website isn’t secure? I don’t think so; you can happily use it, just be aware that if you submit any data through a form on a HTTP connection, it’s LESS secure than if the site were using HTTPS and there’s a little padlock icon in your browser address bar. You’ll need to make the call as to whether you take the risk. It’s even more important if the site you’re using is selling anything and you’re submitting payment details. It’s probably worth saying, however, that the fewer sites on the web that aren’t secured with HTTPS may receive more attention from hackers as their options dwindle!
Why has this change happened?
Until recently, the majority of sites on the Internet used HTTP. Things have progressed though, and now the majority of websites encrypt their data using HTTPS. This has happened in part as a response to another change Google made which was to give a small SEO boost to websites that were secure. Also, free certificates are more readily available and lots of webhosts and website builder sites provide SSL certificates free as standard (SSL certificates are what makes it possible for a site to operate over HTTPS). This has led Google to mark sites that aren’t on HTTPS as ‘not secure’, as they’re now the minority. This in turn will speed up the rate at which secure sites become standard.
Currently, as stated above, they also mark sites that are secure in green, but this will actually be dropped later this year – they’ll leave you to assume that if a site doesn’t have ‘not secure’ in the address bar, that it is in fact, secure. I think this is a mistake, and that it’s better to be clear rather than let users assume anything. It’s not very nuanced to announce that all websites running on HTTP are ‘NOT SECURE’! It implies that it’s on the same sort of urgency level as imminent infection by a virus, or that your personal information will almost certainly be stolen! ‘Unsecured’ might have been a better label, but hey… we live in an age of disclaimers and legal-based fear.
You can of course, click the warning to get an explanation of what the warning means, but I can bet that warning has prompted a lot of users to close a site immediately.
The upshot of all these rather scary warnings will be to expedite the change of all sites on the web to use HTTPS, and of course a more secured web is definitely a good thing. But I’m sure a lot of users could just do without the panic-inducing warnings!
What about other browsers?
Well you can bet that whatever the market leader does, the others will follow suit. Currently, Safari only warns you when you’re interacting with an insecure login form, and this works the same on iOS as on a Mac.
Firefox 51 onwards displays a grey padlock with a red line through it in the address bar to indicate a login form is not secured, but they will soon start adding context messages right below the form field to warn you.
Both these popular browsers will eventually follow Google to warn about all unsecured HTTP connections. The amount of anxiety they produce by their messages may vary from browser to browser! I guess we’ll all get with the program pretty soon.